Manoj Kumar Patra

AWS Basics - Beginner's Guide to IAM

IAM (Identity and Access Management)

IAM allows you to manage users, groups, roles and their corresponding level of access to the AWS platform.

IAM is global; it is not scoped to a region at this time, so the same users, groups, roles and policies apply in every region.

Root account vs IAM user

The root account has full admin access and should not be used on a daily basis. Instead, use an IAM user account for day-to-day tasks.

Always select the region closest to you when beginning to work with AWS.

Adding a user to IAM

  1. Go to IAM Dashboard
  2. Click on Add user
  3. Enter the user name and choose the access type: Programmatic access and/or AWS Management Console access
  4. Add group
  5. Add tags (optional)
  6. Create user

Sign in as an IAM user

To sign in as an IAM user, you need the 12-digit account number. You can find it on the user's Summary page in the User ARN field, which has the form arn:aws:iam::<account_number>:user/<user_name>.

Alternatively, you can set up an account alias from the IAM dashboard and let IAM users sign in with that instead.

The sign-in URL for IAM users looks like https://CUSTOMER_ACCOUNT_NUMBER.signin.aws.amazon.com/console, where CUSTOMER_ACCOUNT_NUMBER is either the account alias or the 12-digit account number.
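As an added example (my own code, not from the post and not an AWS library), here is a small parser for the ARN format shown above: it pulls the account number out of a user ARN, rejects anything that is not a 12-digit account number, and builds the sign-in URL from either the number or an alias. The sample ARN is constructed; the alias rules encoded in signin_url are an assumption for this example (lowercase letters, digits and hyphens, 3 to 63 characters, no leading, trailing or doubled hyphens).

```python
import re
from dataclasses import dataclass

# Hypothetical ARN, constructed for this example (not a real account).
EXAMPLE_USER_ARN = "arn:aws:iam::123456789012:user/alice"

# An ARN has six colon-separated fields; the resource part may itself contain colons.
ARN_PATTERN = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]+):(?P<region>[^:]*):"
    r"(?P<account>[^:]*):(?P<resource>.+)$"
)


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields. IAM is global, so the region field is empty."""
    match = ARN_PATTERN.match(arn)
    if not match:
        raise ValueError(f"not a valid ARN: {arn!r}")
    return Arn(**match.groupdict())


def account_id_from_arn(arn: str) -> str:
    """Return the 12-digit account number from a user ARN, rejecting anything else."""
    account = parse_arn(arn).account
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError(f"account field {account!r} is not a 12-digit account number")
    return account


def signin_url(account_or_alias: str) -> str:
    """Build the console sign-in URL for IAM users from an account number or alias.

    Alias rules assumed here: 3-63 characters of lowercase letters, digits and
    hyphens, not starting or ending with a hyphen and without consecutive hyphens.
    """
    is_account = re.fullmatch(r"\d{12}", account_or_alias) is not None
    is_alias = (
        3 <= len(account_or_alias) <= 63
        and re.fullmatch(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", account_or_alias) is not None
        and "--" not in account_or_alias
    )
    if not (is_account or is_alias):
        raise ValueError(f"{account_or_alias!r} is neither a 12-digit account number nor a valid alias")
    return f"https://{account_or_alias}.signin.aws.amazon.com/console"


if __name__ == "__main__":
    account = account_id_from_arn(EXAMPLE_USER_ARN)
    print(account, signin_url(account), signin_url("example-alias"))
```

The strict 12-digit check matters in practice: a sign-in URL built from a typo or from an ARN of a different resource type would silently point at someone else's account.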

AWS access types

Available methods to enable access to AWS when adding a new user:

  1. Programmatic access: Enables an access key ID and secret access key for use with development tools; the secret access key is shown only once, when the user is first created
  2. AWS Management Console access: Enables a password for signing in to the AWS Management Console along with the user name.

Security best practices in IAM

  1. Delete your root access keys
  2. Activate MFA on your root account
  3. Create individual IAM users
  4. Use groups to assign permissions
  5. Apply an IAM password policy for password complexity and lifecycle management - Define a set of rules that an IAM user should follow when setting a password.
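To make point 5 concrete, here is an added example (my own code, not from the post and not how IAM itself is implemented) of what a password policy enforces. The PasswordPolicy fields follow the settings of the IAM account password policy (minimum length, required character classes, maximum age and reuse prevention); the default values and the symbol set are assumptions for this example, and old passwords are compared by digest rather than stored in clear text.

```python
import hashlib
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Symbols that count as "symbol" characters; assumed here to be Python's
# punctuation set, which is a superset of the symbols IAM accepts.
SYMBOLS = set(string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    """Rules an IAM user's password must satisfy. Field names follow the
    settings of the IAM account password policy; the defaults are this example's."""
    minimum_password_length: int = 14
    require_symbols: bool = True
    require_numbers: bool = True
    require_uppercase_characters: bool = True
    require_lowercase_characters: bool = True
    max_password_age: int = 90            # days; 0 means passwords never expire
    password_reuse_prevention: int = 24   # previous passwords that may not be reused


def _digest(password: str) -> str:
    # A real credential store would use a salted, slow hash; a plain digest is
    # used here only so the example never keeps old passwords in clear text.
    return hashlib.sha256(password.encode()).hexdigest()


def password_violations(password: str, policy: PasswordPolicy,
                        previous_digests: tuple = ()) -> list:
    """Return the policy rules a proposed password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < policy.minimum_password_length:
        problems.append("length")
    if policy.require_symbols and not any(c in SYMBOLS for c in password):
        problems.append("symbol")
    if policy.require_numbers and not any(c.isdigit() for c in password):
        problems.append("number")
    if policy.require_uppercase_characters and not any(c.isupper() for c in password):
        problems.append("uppercase")
    if policy.require_lowercase_characters and not any(c.islower() for c in password):
        problems.append("lowercase")
    # Only the most recent N digests are remembered (N = 0 disables the check).
    remembered = previous_digests[-policy.password_reuse_prevention:] if policy.password_reuse_prevention else ()
    if _digest(password) in remembered:
        problems.append("reused")
    return problems


def password_expired(last_changed: date, policy: PasswordPolicy, today: date) -> bool:
    """Lifecycle check: has the password outlived the policy's maximum age?"""
    if policy.max_password_age == 0:
        return False
    return today - last_changed >= timedelta(days=policy.max_password_age)


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(password_violations("password", policy))            # several violations
    print(password_violations("Tr0ub4dor&3xample!", policy))  # acceptable
    print(password_expired(date(2024, 1, 1), policy, date(2024, 4, 1)))
```

Returning the list of broken rules rather than a bare True/False is deliberate: it is what lets a sign-up form or an audit script tell the user which rule to fix.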

Setting permissions for a user

Different ways of setting permissions for a new user are as follows:

  1. Add user to group
  2. Copy permissions from existing user
  3. Attach existing policies directly

IAM Roles

IAM roles are a secure way to grant permissions to entities that you trust.

Examples of entities include the following:

  • IAM user in another account
  • Application code running on an EC2 instance that needs to perform actions on AWS resources
  • An AWS service that needs to act on resources in your account to provide its features
  • Users from a corporate directory who use identity federation with SAML (Security Assertion Markup Language) 2.0

IAM roles issue temporary credentials that are valid only for a short duration, which makes them a more secure way to grant access than long-lived access keys.

IAM Policy

An IAM policy is a JSON document that defines one or more permissions.

Testing IAM permissions

IAM Policy Simulator can be used to do the following:

  1. Test IAM permissions before we commit them to production
  2. Validate that a policy works as expected
  3. Test policies already attached to existing users
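To show what a policy document looks like and what the simulator actually decides, here is an added example (my own code, not from the post and not the AWS Policy Simulator itself). It holds a constructed policy with an Allow statement and an explicit Deny, then evaluates requests the way IAM evaluates identity-based policies: an explicit Deny wins over any Allow, and a request no statement matches is implicitly denied. The bucket name and requests are constructed; Condition blocks, NotAction/NotResource, resource-based policies and SCPs are deliberately not modelled.

```python
import json
import re

# Constructed example policy (not from the post): read-only access to one
# bucket, plus an explicit deny on every S3 delete action.
POLICY_DOCUMENT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadReportsBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]
    },
    {
      "Sid": "DenyAllDeletes",
      "Effect": "Deny",
      "Action": "s3:Delete*",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def simulate(policy: dict, action: str, resource: str) -> str:
    """Return 'allow', 'explicit deny' or 'implicit deny' for one request.

    Evaluation order mirrors IAM: any matching Deny statement ends evaluation
    with an explicit deny; otherwise a matching Allow allows; otherwise the
    request is implicitly denied.
    """
    decision = "implicit deny"
    for statement in _as_list(policy["Statement"]):
        actions = statement.get("Action")
        resources = statement.get("Resource")
        if actions is None or resources is None:
            continue  # NotAction / NotResource statements are out of scope here
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(_wildcard_match(a.lower(), action.lower()) for a in _as_list(actions)):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(resources)):
            continue
        if statement["Effect"] == "Deny":
            return "explicit deny"
        decision = "allow"
    return decision


def simulate_many(policy: dict, requests) -> dict:
    """Run several (action, resource) pairs, as the Policy Simulator does in bulk."""
    return {(action, resource): simulate(policy, action, resource) for action, resource in requests}


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-reports/2024/q1.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::example-reports/2024/q1.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-reports/2024/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
    ]
    for (action, resource), result in simulate_many(POLICY_DOCUMENT, checks).items():
        print(f"{action:18} {resource:45} -> {result}")
```

Running a table of expected allows and denies like this against a policy before attaching it is exactly the "test before you commit to production" habit the simulator exists for; the constructed policy's explicit Deny on s3:Delete* shows why a Deny is the safer way to carve an exception out of a broad Allow.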

Key IAM Terminologies

USERS - End users

GROUPS - A collection of users under one set of permissions

ROLES - Sets of permissions that you create and assign to AWS resources (rather than to a person)

POLICY - A document that defines one or more permissions; it can be attached to a user, a group or a role.
